
How to Fix Issue with Retrieve Kerberos Ticket on behalf of the User in WAP


I have a SharePoint 2019 on-premises farm running with Kerberos authentication through an ADFS non-claims-aware relying party trust behind WAP. I have updated the SSL certificate on all the SharePoint farm servers, on ADFS and on WAP. Now if I go through WAP and ADFS I am able to authenticate, but after authentication SharePoint throws a 500 error.

Can anyone tell me how to update the certificate properly on WAP, ADFS and SharePoint?

  1. I am using ADFS (non-claims-aware relying party trust) and WAP in front of SP19. ADFS and WAP are installed with the new certificate, and I am able to get the login screen from ADFS with the new certificate.
  2. The SharePoint pages work if I log in directly by pointing at the SharePoint IP, using the Windows Authentication popup.

Troubleshooting:

  1. The connection between WAP and ADFS Proxy is working fine.
  2. ADFS is able to authenticate with my DC.
  3. Once authentication is completed, I get Error 500 on the screen below.
  4. Browser Inspect shows nothing useful.
  5. An error with event ID 12027 was found on the WAP server: Unable to retrieve Kerberos Ticket for the User.

Solution

  • This Kerberos ticket issue is caused by the November Windows patch update on the domain controller.

    "After installing the November security updates, released November 9, 2021 on your Domain Controllers (DC) running a Windows Server versions listed below in affected platforms, you might have authentication failures on servers relating to Kerberos Tickets"

    Affected environments might be using the following:

    Resolution: This issue was resolved in the out-of-band update KB5008602 released November 14, 2021. It is a cumulative update, so you do not need to apply any previous update before installing it. To get the standalone package for KB5008602, search for it in the Microsoft Update Catalog. You can import this update into Windows Server Update Services (WSUS) manually. See the Microsoft Update Catalog for instructions. Note KB5008602 is not available from Windows Update and will not install automatically.

    Source - https://learn.microsoft.com/en-ca/windows/release-health/status-windows-10-1809-and-windows-server-2019#issue-details
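
To confirm both findings above (event ID 12027 on the WAP server and whether KB5008602 is present on each domain controller), the PowerShell below can be run from an admin workstation. It is an added example, not part of the original post; the host name `WAP01` and the event log channel name are assumptions to adjust for your environment.

```powershell
# Added example. Values marked "assumption" are not taken from the original post.
param(
    [string]$WapServer = 'WAP01',          # assumption: hypothetical WAP host name
    [string]$FixKb     = 'KB5008602',      # out-of-band fix named in the post
    [datetime]$Since   = (Get-Date).AddDays(-7)
)

Import-Module ActiveDirectory   # RSAT AD module, provides Get-ADDomainController

# 1. For every DC, report whether the fix is listed and which update was installed last.
#    A DC with a later cumulative update will not list $FixKb by its own ID,
#    so read FixListed together with LatestHotFix / LatestInstalled.
$dcReport = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        FixListed        = $null
        LatestHotFix     = $null
        LatestInstalled  = $null
    }
    try {
        $hotfixes = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop
        $latest   = $hotfixes | Where-Object InstalledOn |
                    Sort-Object InstalledOn | Select-Object -Last 1
        $row.FixListed       = [bool]($hotfixes | Where-Object HotFixID -eq $FixKb)
        $row.LatestHotFix    = $latest.HotFixID
        $row.LatestInstalled = $latest.InstalledOn
    } catch {
        $row.LatestHotFix = "query failed: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}
$dcReport | Format-Table -AutoSize

# 2. Count event ID 12027 per day on the WAP server, to see when the failures
#    started and whether they stop after the DCs are patched.
$filter = @{
    LogName   = 'Microsoft-Windows-WebApplicationProxy/Admin'   # assumption: WAP admin channel
    Id        = 12027
    StartTime = $Since
}
try {
    Get-WinEvent -ComputerName $WapServer -FilterHashtable $filter -ErrorAction Stop |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
        Sort-Object Name |
        Select-Object @{ n = 'Day'; e = { $_.Name } }, Count
} catch {
    # Get-WinEvent also raises an error when no matching events exist.
    Write-Warning "No 12027 events returned from ${WapServer}: $($_.Exception.Message)"
}
```

If the daily count of 12027 events begins on the day the domain controllers received the November update and drops to zero once the fix is installed, the 500 error is the Kerberos ticket issue described above rather than a certificate problem.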